I'm not sure if the HTTP flow card has inputs for basic authentication username and password. Nevertheless, what should work is setting your own header.

First get your API key, add a ":" to the end and base 64 encode it (there are some websites that will do this for you). Then set the header to "Authorization: Basic ENCODED_KEY" where ENCODED_KEY is the base 64 string.

Yes, there are sections for username and password. I have tried these (using my login email as username) and still get an unauthorized error. I have also tried adding the api key to the "enter key" field, but with no luck.

Caveat - I don't use Flow myself but have been through the same login confusion. The API key is the only bit of info you would supply when accessing the API. This corresponds to the "username". You don't need your supply your email. There is no password.

I don't know if Flow will handle authentication by adding a header like this but here's what I'd try:

a) Remove the Authentication part from your request (fields C and D, and presumably Authentication would be "None", blank or somesuch).

b) Encode your API key as london says above:

london:

First get your API key, add a ":" to the end and base 64 encode it

c) Say the last step gave you "QWxhZGRpbjpPcGVuU2VzYW1l". In the Headers part of your screenshot (A and B) you enter "Authorization" as the key (A) and "Basic QWxhZGRpbjpPcGVuU2VzYW1l" as the value (B) - obviously you don't enter the quote marks in the fields.

Option 2) (Not recommended for security but would test your API key) you can forgo all the Authentication part of your form, and just add your API key to the URL - so if you had API key "someAPIKey" then in your example you'd request GET with the URI:

https://someAPIKey:@api.companieshouse.gov.uk/company/07170126

Again you'll see that there's nothing where the password would normally go (after colon) as CH doesn't use one.

In the context of an HTTP transaction, basic access authentication is a method for an HTTP user agent to provide a user name and password when making a request. It is specified in RFC 7617 (which obsoletes RFC 2617).